- From: Kevin J. Dyer <kjd4951@aries1.draper.com>
- Date: Tue, 04 Feb 1997 14:27:06 -0500
- To: www security <www-security@ns2.rutgers.edu>, www-talk@w3.org
> Your last point -- ease of use -- is genius. All security is relative
> and making password changing obscure and difficult to do means people --
> most people -- just won't do it. On the other hand, if the system keeps
> forcing them to change their password too often, they will write the
> password on their monitor. I believe that security is an emergent
> property of the whole system, and we need to balance the security gained
> against the cost and effort, most of which are borne by the user. Too
> often we just address techno-fixes and don't think enough about the user
> impact.
>
> Jim Mirick
> First Bank System www.fbs.com
> [snip]
>
> Yes. Netcom uses a Web page to change your SLIP/PPP account password.
> I prefer it over the 'telnet -> shell' method my other ISP uses. Netcom
> uses some basic security measures:
> - you have to be logged in from a netcom dialin point.
> - you have to enter your old password before you get access to the
>   password change page.
> - it uses a secure page.
>
> I think this is far superior to the telnet version which uses unencrypted
> transfer.
>
> Another point: Many users these days have no idea about Unix, telnet and
> passwd. They will never change the password if it can not be done easily.
>
> ------- jullrich@xos.com -------------- http://www.xos.com/ ------------
> Johannes Ullrich               | phone: ++1 (518) 442 3394 (direct)
> X-Ray Optical Systems, Inc.    |                   5250 (main)
> 90 Fuller Rd.                  |                   2632 (voice mail)
> Albany, NY 12205 USA           | FAX:   ++1 (518) 442 5292

This thread about allowing users to change their passwords via CGI/Applets can go on forever. I would like to hear from the community about the possibility of expanding the 4xx codes in HTTP/1.1 to include the following:

416 Re-Validation requested

The username was accepted but the password was challenged again or the sysadmin expired the password, etc. The user agent would display a pop-up requesting two fields.

The server-side of this implementation is very loose depending on the type of authentication that each server is using. This could allow users to change their passwords or allow the server to resynch one-time password cards, etc.

Comments?

Kevin
--
=============================================================================
Kevin J. Dyer                        Draper Laboratory MS 23.
Email: <kdyer@draper.com>            555 Tech. Sq.
Phone: 617-258-4962                  Cambridge, MA 02139
FAX:   617-258-2121
-----------------------------------------------------------------------------
Anyone who slaps a "this page is best viewed with Browser X" label on a Web page appears to be yearning for the bad old days, before the Web, when you had very little chance of reading a document written on another computer, another word processor, or another network. [Tim Berners-Lee in Technology Review, July 1996]
=============================================================================
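A toy model of the round trip Kevin proposes, added here as an example and not part of the original message or of any HTTP specification: the server answers 401, 200, or the proposed 416 from a salted PBKDF2 password store, and the user agent reacts to 416 by collecting the two fields (old and new password) and retrying once. The 90-day expiry policy, the minimum length and all function names are assumptions of this example; note that HTTP/1.1 later assigned 416 to "Range Not Satisfiable" (RFC 2616), so a real deployment would need a different number.

```python
import hashlib, hmac, os
from dataclasses import dataclass

PASSWORD_MAX_AGE = 90 * 24 * 3600  # hypothetical policy: change after 90 days

@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_at: float      # epoch seconds when the current password was set
    expired: bool = False  # set by the sysadmin to force re-validation

def _digest(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password: str, now: float) -> Account:
    salt = os.urandom(16)
    return Account(salt, _digest(salt, password), now)

def check(acct: Account, password: str) -> bool:
    return hmac.compare_digest(_digest(acct.salt, password), acct.digest)

def server_auth(acct: Account, password: str, now: float) -> int:
    """First round: 401 wrong password, 416 (as proposed) password accepted but
    re-validation required, 200 accepted. 416 is only sent after the password
    verified, so it reveals nothing about unauthenticated accounts."""
    if not check(acct, password):
        return 401
    if acct.expired or now - acct.changed_at > PASSWORD_MAX_AGE:
        return 416
    return 200

def server_revalidate(acct: Account, old: str, new: str, now: float) -> int:
    """Second round with the two pop-up fields: the old password must verify
    again and the new one must differ and meet a minimum length."""
    if not check(acct, old) or new == old or len(new) < 8:
        return 401
    acct.salt = os.urandom(16)
    acct.digest = _digest(acct.salt, new)
    acct.changed_at = now
    acct.expired = False
    return 200

def client_session(acct: Account, password: str, prompt, now: float) -> int:
    """User agent: log in; on 416 show the two-field pop-up and retry once."""
    status = server_auth(acct, password, now)
    if status == 416:
        old, new = prompt()  # prompt() stands in for the pop-up
        return server_revalidate(acct, old, new, now)
    return status
```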
Received on Tuesday, 4 February 1997 14:28:39 UTC